skip to main content
research-article

KJS: a complete formal semantics of JavaScript

Published:03 June 2015Publication History
Skip Abstract Section

Abstract

This paper presents KJS, the most complete and throughly tested formal semantics of JavaScript to date. Being executable, KJS has been tested against the ECMAScript 5.1 conformance test suite, and passes all 2,782 core language tests. Among the existing implementations of JavaScript, only Chrome V8's passes all the tests, and no other semantics passes more than 90%. In addition to a reference implementation for JavaScript, KJS also yields a simple coverage metric for a test suite: the set of semantic rules it exercises. Our semantics revealed that the ECMAScript 5.1 conformance test suite fails to cover several semantic rules. Guided by the semantics, we wrote tests to exercise those rules. The new tests revealed bugs both in production JavaScript engines (Chrome V8, Safari WebKit, Firefox SpiderMonkey) and in other semantics. KJS is symbolically executable, thus it can be used for formal analysis and verification of JavaScript programs. We verified non-trivial programs and found a known security vulnerability.

References

  1. E. Arvidsson. V8 Issue 2243. https://code.google.com/p/v8/ issues/detail?id=2243, 2012. Accessed: April 22, 2015.Google ScholarGoogle Scholar
  2. S. Bandhakavi, S. T. King, P. Madhusudan, and M. Winslett. VEX: Vetting Browser Extensions for Security Vulnerabilities. In USENIX Security, pages 22–22. USENIX, 2010. Google ScholarGoogle ScholarDigital LibraryDigital Library
  3. M. Bodin, A. Chargueraud, D. Filaretti, P. Gardner, S. Maffeis, D. Naudziuniene, A. Schmitt, and G. Smith. A Trusted Mechanised JavaScript Specification. In POPL, pages 87–100. ACM, 2014. Google ScholarGoogle ScholarDigital LibraryDigital Library
  4. D. Bogdanas and G. Rosu. K-Java: A Complete Semantics of Java. In POPL, pages 445–456. ACM, 2015. Google ScholarGoogle ScholarDigital LibraryDigital Library
  5. D. Bruant. ECMAScript Bug 56. https://bugs.ecmascript.org/ show_bug.cgi?id=56#c3, 2011. Accessed: April 22, 2015.Google ScholarGoogle Scholar
  6. D. Bruant. Mozilla Bug 641214. https://bugzilla.mozilla. org/show_bug.cgi?id=641214, 2011. Accessed: April 22, 2015.Google ScholarGoogle Scholar
  7. M. Chevalier-Boisvert, E. Lavoie, M. Feeley, and B. Dufour. Bootstrapping a Self-hosted Research Virtual Machine for JavaScript: An Experience Report. In Proceedings of the 7th Symposium on Dynamic Languages, pages 61–72. ACM, 2011. Google ScholarGoogle ScholarDigital LibraryDigital Library
  8. D. Crockford. JavaScript: The Good Parts. O’Reilly Media, 2008. Google ScholarGoogle ScholarDigital LibraryDigital Library
  9. L. de Moura and N. Bjørner. Z3: An Efficient SMT Solver. In TACAS, volume 4963, pages 337–340. LNCS, 2008. Google ScholarGoogle ScholarDigital LibraryDigital Library
  10. Ecma TC39. ECMAScript Harmony. https://mail.mozilla.org/ pipermail/es-discuss/2008-August/003400.html, 2008. Accessed: April 22, 2015.Google ScholarGoogle Scholar
  11. Ecma TC39. Standard ECMA-262 ECMAScript Language Specification Edition 5.1, June 2011.Google ScholarGoogle Scholar
  12. Ecma TC39. Draft Specification of ECMA-262 6th Edition. http://wiki.ecmascript.org/doku.php?id=harmony: specification_drafts, 2014. Accessed: April 22, 2015.Google ScholarGoogle Scholar
  13. Ecma TC39. TC39 Meeting Minutes. https://github.com/ rwaldron/tc39-notes/blob/master/es6/2014-09/sept-23. md#somehow-we-started-talking-about-test262, 2014.Google ScholarGoogle Scholar
  14. Accessed: April 22, 2015.Google ScholarGoogle Scholar
  15. Ecma TC39. Test262: ECMAScript Language Conformance Test Suite. http://test262.ecmascript.org, 2014. Accessed: April 22, 2015.Google ScholarGoogle Scholar
  16. C. Ellison and G. Rosu. An Executable Formal Semantics of C with Applications. In POPL, pages 533–544. ACM, 2012. Google ScholarGoogle ScholarDigital LibraryDigital Library
  17. D. Filaretti and S. Maffeis. An Executable Formal Semantics of PHP. In ECOOP, volume 8586, pages 567–592. LNCS, 2014.Google ScholarGoogle Scholar
  18. C. Fournet, N. Swamy, J. Chen, P.-E. Dagand, P.-Y. Strub, and B. Livshits. Fully Abstract Compilation to JavaScript. In POPL, pages 371–384. ACM, 2013. Google ScholarGoogle ScholarDigital LibraryDigital Library
  19. P. A. Gardner, S. Maffeis, and G. D. Smith. Towards a Program Logic for JavaScript. In POPL, pages 31–44. ACM, 2012. Google ScholarGoogle ScholarDigital LibraryDigital Library
  20. S. Ghosh, D. Elenius, W. Li, P. Lincoln, N. Shankar, and W. Steiner. Automatically Extracting Requirements Specifications from Natural Language. CoRR, abs/1403.3142, 2014.Google ScholarGoogle Scholar
  21. S. Guarnieri and B. Livshits. GATEKEEPER: Mostly Static Enforcement of Security and Reliability Policies for Javascript Code. In USENIX Security, pages 151–168. USENIX, 2009. Google ScholarGoogle ScholarDigital LibraryDigital Library
  22. S. Guarnieri, M. Pistoia, O. Tripp, J. Dolby, S. Teilhet, and R. Berg. Saving the World Wide Web from Vulnerable JavaScript. In ISSTA, pages 177–187. ACM, 2011. Google ScholarGoogle ScholarDigital LibraryDigital Library
  23. A. Guha, S. Krishnamurthi, and T. Jim. Using Static Analysis for Ajax Intrusion Detection. In WWW, pages 561–570. ACM, 2009. Google ScholarGoogle ScholarDigital LibraryDigital Library
  24. A. Guha, C. Saftoiu, and S. Krishnamurthi. The Essence of Javascript. In ECOOP, volume 6183, pages 126–150. LNCS, 2010. Google ScholarGoogle ScholarDigital LibraryDigital Library
  25. D. Guth. A Formal Semantics of Python 3.3. Master’s thesis, University of Illinois at Urbana-Champaign, July 2013.Google ScholarGoogle Scholar
  26. D. Herman and C. Flanagan. Status Report: Specifying Javascript with ML. In Proceedings of the 2007 Workshop on Workshop on ML, pages 47–52. ACM, 2007. Google ScholarGoogle ScholarDigital LibraryDigital Library
  27. D. Herman, L. Wagner, and A. Zakai. asm.js. http://asmjs.org, 2014. Accessed: April 22, 2015.Google ScholarGoogle Scholar
  28. V. Kashyap, K. Dewey, E. A. Kuefner, J. Wagner, K. Gibbons, J. Sarracino, B. Wiedermann, and B. Hardekopf. JSAI: A Static Analysis Platform for JavaScript. In FSE, pages 121–132. ACM, 2014. Google ScholarGoogle ScholarDigital LibraryDigital Library
  29. H. Lee, S. Won, J. Jin, J. Cho, and S. Ryu. SAFE: Formal Specification and Implementation of a Scalable Analysis Framework for ECMAScript. In Proceedings of the 2012 International Workshop on Foundations of Object-Oriented Languages. ACM, 2012.Google ScholarGoogle Scholar
  30. S. Maffeis, J. C. Mitchell, and A. Taly. An Operational Semantics for JavaScript. In APLAS, volume 5356, pages 307–325. LNCS, 2008. Google ScholarGoogle ScholarDigital LibraryDigital Library
  31. Mean.io. MEAN: A Fullstack Javascript Framework. http://mean. io/, 2014. Accessed: April 22, 2015.Google ScholarGoogle Scholar
  32. J. Meseguer. Conditional Rewriting Logic as a Unified Model of Concurrency. Theoretical Computer Science, 96(1):73–155, 1992. Google ScholarGoogle ScholarDigital LibraryDigital Library
  33. M. Nordio, C. Calcagno, and C. A. Furia. Javanni: A Verifier for JavaScript. In Fundamental Approaches to Software Engineering, volume 7793, pages 231–234. LNCS, 2013. Google ScholarGoogle ScholarDigital LibraryDigital Library
  34. J. Orendorff. Mozilla Bug 779682. https://bugzilla.mozilla. org/show_bug.cgi?id=779682, 2012. Accessed: April 22, 2015.Google ScholarGoogle Scholar
  35. D. Park. WebKit Bug 138859, 138858; V8 Issue 3704; ECMA-262 Bug 3427, 3426; S5 Issues 55, 57, 59. https://bugs.webkit.org/show_bug.cgi?id=138859, https://bugs.webkit.org/show_bug.cgi?id=138858, https://code.google.com/p/v8/issues/detail?id=3704, https://bugs.ecmascript.org/show_bug.cgi?id=3427, https://bugs.ecmascript.org/show_bug.cgi?id=3426, https://github.com/brownplt/LambdaS5/issues/55, https://github.com/brownplt/LambdaS5/issues/57, https://github.com/brownplt/LambdaS5/issues/59, 2014.Google ScholarGoogle Scholar
  36. Accessed: April 22, 2015.Google ScholarGoogle Scholar
  37. D. Park and A. Stefanescu. Supplementary material. https:// github.com/kframework/javascript-semantics, 2014.Google ScholarGoogle Scholar
  38. Accessed: April 22, 2015.Google ScholarGoogle Scholar
  39. J. G. Politz, S. A. Eliopoulos, A. Guha, and S. Krishnamurthi. ADsafety: Type-based Verification of JavaScript Sandboxing. In USENIX Security, pages 12–12. USENIX, 2011. Google ScholarGoogle ScholarDigital LibraryDigital Library
  40. J. G. Politz, M. J. Carroll, B. S. Lerner, J. Pombrio, and S. Krishnamurthi. A Tested Semantics for Getters, Setters, and Eval in JavaScript. In Proceedings of the 8th Symposium on Dynamic Languages, pages 1–16. ACM, 2012. Google ScholarGoogle ScholarDigital LibraryDigital Library
  41. J. Regehr, Y. Chen, P. Cuoq, E. Eide, C. Ellison, and X. Yang. Test-case Reduction for C Compiler Bugs. In PLDI, pages 335–346. ACM, 2012. Google ScholarGoogle ScholarDigital LibraryDigital Library
  42. G. Rosu and T. F. Serbanuta. An Overview of the K Semantic Framework. Journal of Logic and Algebraic Programming, 79(6): 397–434, 2010.Google ScholarGoogle Scholar
  43. G. Rosu and A. Stefanescu. Checking Reachability Using Matching Logic. In OOPSLA, pages 555–574. ACM, 2012. Google ScholarGoogle ScholarDigital LibraryDigital Library
  44. M. Samuel. Properties of Interpreters or the Browser Environment that allow Privilege Escalation. https://code.google.com/p/ google-caja/wiki/AttackVectors, 2009. Accessed: April 22, 2015.Google ScholarGoogle Scholar
  45. M. Samuel. Attack Vectors: Global Object Poisoning. https://code. google.com/p/google-caja/wiki/GlobalObjectPoisoning, 2009. Accessed: April 22, 2015.Google ScholarGoogle Scholar
  46. T. F. Serbanuta, A. Arusoaie, D. Lazar, C. Ellison, D. Lucanu, and G. Rosu. The K Primer (version 3.3). In Proceedings of the Second International Workshop on the K Framework and its Applications, volume 304, pages 57–80. ENTCS, 2013.Google ScholarGoogle Scholar
  47. G. Smith. ECMA-262 Bug 1444. https://bugs.ecmascript.org/ show_bug.cgi?id=1444, 2013. Accessed: April 22, 2015.Google ScholarGoogle Scholar
  48. A. Taly, U. Erlingsson, J. C. Mitchell, M. S. Miller, and J. Nagra. Automated Analysis of Security-Critical JavaScript APIs. In S&P (Oakland), pages 363––378. IEEE, 2011. Google ScholarGoogle ScholarDigital LibraryDigital Library
  49. A. Zakai. Emscripten: An LLVM-to-JavaScript Compiler. In SPLASH, pages 301–312. ACM, 2011. Google ScholarGoogle ScholarDigital LibraryDigital Library

Index Terms

  1. KJS: a complete formal semantics of JavaScript

      Recommendations

      Comments

      Login options

      Check if you have access through your login credentials or your institution to get full access on this article.

      Sign in

      Full Access

      • Published in

        cover image ACM SIGPLAN Notices
        ACM SIGPLAN Notices  Volume 50, Issue 6
        PLDI '15
        June 2015
        630 pages
        ISSN:0362-1340
        EISSN:1558-1160
        DOI:10.1145/2813885
        • Editor:
        • Andy Gill
        Issue’s Table of Contents
        • cover image ACM Conferences
          PLDI '15: Proceedings of the 36th ACM SIGPLAN Conference on Programming Language Design and Implementation
          June 2015
          630 pages
          ISBN:9781450334686
          DOI:10.1145/2737924

        Copyright © 2015 ACM

        Publisher

        Association for Computing Machinery

        New York, NY, United States

        Publication History

        • Published: 3 June 2015

        Check for updates

        Qualifiers

        • research-article

      PDF Format

      View or Download as a PDF file.

      PDF

      eReader

      View online with eReader.

      eReader
      About Cookies On This Site

      We use cookies to ensure that we give you the best experience on our website.

      Learn more

      Got it!